feat(cloudfront): add new check cloudfront_distributions_s3_origin_non_existing_bucket
#4996
base: master
…o PRWLR-4298-add-new-cloud-front-check-to-ensure-distributions-do-not-point-to-non-existent-s-3-origins pull changes in cloudfront service
"SubServiceName": "", | ||
"ResourceIdTemplate": "arn:partition:cloudfront:region:account-id:distribution/resource-id", | ||
"Severity": "high", | ||
"ResourceType": "AWSCloudFrontDistribution", |
"ResourceType": "AWSCloudFrontDistribution", | |
"ResourceType": "AwsCloudFrontDistribution", |
@@ -0,0 +1,34 @@ | |||
{ | |||
"Provider": "aws", | |||
"CheckID": "cloudfront_s3_origin_non_existent_bucket", |
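Review bot: the `CheckID` on the last line of this hunk, `cloudfront_s3_origin_non_existent_bucket`, does not match the check's own file name in this PR, `cloudfront_distributions_s3_origin_non_existent_bucket.metadata.json`; the id, the directory and the module name have to agree, so it should read `cloudfront_distributions_s3_origin_non_existent_bucket` (the same rename the reviewer's suggestion below asks for).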
"CheckID": "cloudfront_s3_origin_non_existent_bucket", | |
"CheckID": "cloudfront_distributions_s3_origin_non_existent_bucket", |
for origin in distribution.origins: | ||
report.status = "FAIL" | ||
report.status_extended = f"CloudFront Distribution {distribution.id} has a non-existent bucket as S3 origin: {origin.domain_name} or it is out of Prowler's scope." | ||
for bucket in s3_client.buckets.values(): |
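Review bot: nothing in this hunk restricts the outer loop to S3 origins, so a custom origin (an ALB or API hostname) falls through to the same "non-existent bucket" FAIL, and the inner `for bucket in s3_client.buckets.values():` rescans every bucket for every origin. Derive the bucket name from `origin.domain_name` (the labels before `.s3.amazonaws.com`, `.s3.<region>.amazonaws.com` or `.s3-website-<region>.amazonaws.com`), `continue` when the domain is not of that form, and test the name against the bucket dictionary or a set of names built once before the loop. Also, because `report.status = "FAIL"` and `report.status_extended` are rewritten on every origin, a later origin whose bucket exists can flip an earlier FAIL back to PASS; break on the first missing bucket, or collect the missing origins first and set the status once.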
Can you extract the bucket name from the domain name and check if it exists in the dictionary without iterating the whole dict?
for origin in distribution.origins: | ||
report.status = "FAIL" | ||
report.status_extended = f"CloudFront Distribution {distribution.id} has a non-existent bucket as S3 origin: {origin.domain_name} or it is out of Prowler's scope." |
report.status_extended = f"CloudFront Distribution {distribution.id} has a non-existent bucket as S3 origin: {origin.domain_name} or it is out of Prowler's scope." | |
report.status_extended = f"CloudFront Distribution {distribution.id} has a non-existent S3 bucket {origin.domain_name} as the origin or the S3 bucket is out of Prowler's scope." |
"CheckID": "cloudfront_s3_origin_non_existent_bucket", | ||
"CheckTitle": "CloudFront distributions should not point to non-existent S3 origins.", | ||
"CheckType": [ | ||
"NIST 800-53 Controls" |
Please, check this.
...ions_s3_origin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.py
Please, check if the S3 bucket exists in AWS with something like: If the bucket does not exist, you will receive a
...gin_non_existent_bucket/cloudfront_distributions_s3_origin_non_existent_bucket.metadata.json
Please, use MagicMock here.
Context
Configuring Amazon CloudFront distributions to point to non-existent S3 origins poses a significant security risk. If the S3 bucket no longer exists, a malicious third party could potentially create a bucket with the same name and serve unauthorized content through your distribution. This could lead to data integrity issues and potential exploitation.
Ensuring that CloudFront distributions are properly configured to point only to valid and existing S3 buckets is essential for maintaining a secure and controlled environment.
Description
The cloudfront_distributions_s3_origin_non_existing_bucket check ensures that CloudFront distributions are not pointing to non-existent S3 buckets. If an origin is linked to a non-existent bucket, the check fails, as it increases the risk of unauthorized control over the distribution's content. This check ensures that all origins are correctly configured to mitigate potential security risks.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
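The reviewer's request to derive the bucket name from the origin domain and look it up directly, combined with the check semantics in the description above, as an added example that is not Prowler's code: it parses the S3 origin hostname forms, skips custom origins, and evaluates constructed distributions against a set of known bucket names. `Origin`, `Distribution`, `evaluate`, `run` and the sample data are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
# Added example, not Prowler's code. Origin/Distribution mirror the attribute
# names used in the PR hunk (id, origins, domain_name) but are assumptions here.
@dataclass
class Origin:
    domain_name: str

@dataclass
class Distribution:
    id: str
    origins: List[Origin]

# S3 origin hostnames CloudFront accepts: <bucket>.s3.amazonaws.com,
# <bucket>.s3[.dualstack].<region>.amazonaws.com and website endpoints
# <bucket>.s3-website[-.]<region>.amazonaws.com. Bucket names may contain
# dots, so the suffix is anchored and the name is everything before it.
_S3_ORIGIN_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:-website)?(?:[.-][a-z0-9-]+)*\.amazonaws\.com$"
)

def s3_bucket_from_origin(domain_name: str) -> Optional[str]:
    """Bucket name for an S3 origin, or None for a custom (non-S3) origin."""
    m = _S3_ORIGIN_RE.match(domain_name.lower())
    return m.group("bucket") if m else None

def evaluate(distribution: Distribution, known_buckets: Set[str]) -> Tuple[str, str]:
    """FAIL if any S3 origin names a bucket absent from known_buckets (the buckets
    Prowler enumerated), PASS otherwise. Custom origins are skipped and each
    lookup is O(1) instead of a scan over every bucket per origin."""
    missing = [o.domain_name for o in distribution.origins
               if (b := s3_bucket_from_origin(o.domain_name)) is not None
               and b not in known_buckets]
    if missing:
        return "FAIL", (f"CloudFront Distribution {distribution.id} has a non-existent S3 bucket "
                        f"{', '.join(missing)} as the origin or the S3 bucket is out of Prowler's scope.")
    return "PASS", f"CloudFront Distribution {distribution.id} has only existing S3 buckets as origins."

# Constructed sample data: two buckets still exist, "old-site" was deleted.
KNOWN_BUCKETS = {"assets-prod", "logs.example.com"}
SAMPLE = [
    Distribution("E1AAA", [Origin("assets-prod.s3.us-east-1.amazonaws.com"), Origin("api.example.com")]),
    Distribution("E2BBB", [Origin("old-site.s3-website-eu-west-1.amazonaws.com")]),
    Distribution("E3CCC", [Origin("logs.example.com.s3.amazonaws.com")]),
]

def run(distributions: List[Distribution] = SAMPLE, known_buckets: Set[str] = KNOWN_BUCKETS):
    return {d.id: evaluate(d, known_buckets) for d in distributions}
```

A bucket that exists but lives in an account or region outside the audit scope is still reported, which is why the FAIL message keeps the "out of Prowler's scope" wording from the PR.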